My API needs three types of users and I want to manage them with custom role definitions. Is it possible to create roles in Azure B2C and then assign these roles to users via the Microsoft Graph API?

Kadir Alan

  • https://mrochon.azurewebsites.net/2019/05/06/using-groups-in-azure-ad-b2c/ – rbrayb Dec 16 '21 at 19:12
  • Thanks, but it seems a very old answer. I think there is a built-in, better solution on Azure AD B2C. – Kadir Alan Dec 16 '21 at 19:31
  • Does this answer your question? [Authorize By Group in Azure Active Directory B2C](https://stackoverflow.com/questions/40302231/authorize-by-group-in-azure-active-directory-b2c) – Ogglas Jan 31 '22 at 10:31

2 Answers

You could create an extension attribute called extension_role, and use Graph API to write the role name to this attribute.

Example on how to create and write to the extension attribute here.

Then, in the AAD B2C custom policy, read the extension attribute and insert it into the token.

E.g., read the attribute on sign-in/sign-up:

        <TechnicalProfile Id="AAD-UserReadUsingObjectId">
          <Metadata>
            <Item Key="Operation">Read</Item>
            <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
          </Metadata>
          <IncludeInSso>false</IncludeInSso>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
          </InputClaims>
          <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="extension_role" />
          </OutputClaims>
          <IncludeTechnicalProfile ReferenceId="AAD-Common" />
        </TechnicalProfile>

Insert into token:

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="extension_role" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />

      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>

Jas Suri - MSFT
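A worked example of the Graph-side half of this answer, added here and not code from the answer or from Microsoft: it builds the `extension_<appId>_role` attribute name Graph uses for a B2C custom attribute, the PATCH request that writes a role from a fixed allowlist, and the check a resource API should run on the `extension_role` claim of an already validated B2C token. The b2c-extensions-app client ID, the three role names and the access token are placeholders constructed for the demo; the request is built but not sent.

```python
"""Graph-side management of a B2C 'extension_role' attribute (added example).
Assumptions: the b2c-extensions-app client ID is a placeholder, the Graph token
(User.ReadWrite.All) is acquired elsewhere, and the role names are constructed."""
import json
import re
from urllib.request import Request  # stdlib; the request is built, not sent

GRAPH = "https://graph.microsoft.com/v1.0"
# Placeholder: Application (client) ID of the tenant's b2c-extensions-app.
B2C_EXTENSIONS_APP_ID = "00000000-0000-0000-0000-000000000000"
ALLOWED_ROLES = frozenset({"reader", "editor", "admin"})  # constructed for the demo
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def extension_attribute_name(app_id: str, attribute: str = "role") -> str:
    """Graph stores B2C custom attributes as extension_<appId without dashes>_<name>."""
    if not GUID_RE.fullmatch(app_id):
        raise ValueError("client id must be a GUID")
    return f"extension_{app_id.replace('-', '')}_{attribute}"

def build_set_role_request(user_object_id: str, role: str, access_token: str) -> Request:
    """PATCH /users/{objectId} request writing the role; allowlisted first so an
    arbitrary string from an admin UI can never become a role in the token."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {role!r}")
    if not GUID_RE.fullmatch(user_object_id):
        raise ValueError("objectId must be a GUID")
    body = json.dumps({extension_attribute_name(B2C_EXTENSIONS_APP_ID): role}).encode()
    return Request(
        f"{GRAPH}/users/{user_object_id}", data=body, method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )

def role_from_claims(claims: dict) -> str:
    """Read extension_role from a token payload the API has ALREADY validated.
    Missing or unknown roles are denied, never defaulted, so a user whose
    attribute was never written gets no access."""
    role = claims.get("extension_role")
    if role not in ALLOWED_ROLES:
        raise PermissionError("token carries no recognised role")
    return role

def has_role(claims: dict, required: str) -> bool:
    """Exact-match role check for an API endpoint."""
    return role_from_claims(claims) == required
```

The claim name `extension_role` in the token matches the `ClaimTypeReferenceId` in the relying-party `OutputClaims` above; only the Graph user object carries the longer `extension_<appId>_role` form.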
I am working toward the same goal, so here is what I found so far:

  • Use Custom Policies with the Identity Experience Framework (IEF). Here is an example of custom policies for RBAC:
  • Manually call the Graph API (using the MSAL library) with the objectId of the connected user and an access token in order to get the groups to which the user belongs. In this case you will create a group for each role and assign the users to the right groups based on their role; by finding the user's group, you know what their role is. Here is an example of implementing this kind of authorization on a .NET 5 web API and web app.

I didn't find anything related to managing users' access with roles, so if you found any, do not hesitate to share. Thanks

Ferhi Malek